Truthfully, I'm not sure. There is a way to get notifications from a second profile when on the main profile so I stands to reason there is something happening on the second profile. I don't use a second profile so I can't give a first hand account. It's why I posted the link for reference.

If the profile with Google services is quiesced like suspending your work profile, then no activity should be seen on the network at all. No keep alive no pings etc

Sandbox Google Play is just for GrapheneOS. As far as I know, doesn't work anywhere else.

I don't really understand this stuff super well, but... I suspect what it means is that Google can track you while google maps is open, BUT since it doesn't have access to the rest of your phone, they'll have no idea who you are anyway?

For grapheneos sandboxed means the Google apps are just regular apps, they don't have privilege, they're not escalated, they are exactly the same as other apps. Very specifically, it means Google services are only accessible in the user/profile that they are installed in, and not phone wide

If you use a Google service, or an app that interacts with the Google apps, then Google knows about it. In graphene OS you can choose what apps have access to Google services, by running them in a different profile.

but what does it mean when you say "Sandboxed?

By default, on a normal Android device, Google Play services are installed as a system application. It means that you can't remove it, and it can grant itself the permissions it needs. In contrary, regular user apps run in the Android application sandbox. They are installed by the user, have distinct permission controls that are enforced by the operating system and can be uninstalled at any time. Sandboxed Google Play is a compatibility layer created by the GrapheneOS team, which allows you to run Google Play services (which would normally require system privileges) to run as a normal user app in the regular application sandbox.

Yes, because the Google Wallet app requires a higher level of SafetyNet attestation, which can only be achieved when running an OS that's specifically whitelisted by Google.

Yep. That's a good clarification.

"Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play."

If GFS is installed on a profile, any app in that profile can use it to phone home.

I suspect that aspect is mostly mitigated, for me. by my not using a Gmail account to sign into any apps. Theoretically, it doesn't stop them from fingerprinting, in other ways.

Except:

"Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access."

and

"As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions."

Means that GFS is going to be denied it's usual fingerprinting solutions.

Source: https://grapheneos.org/usage#sandboxed-google-play combined with professional experience with privacy technically, and a decent amount of (educated) speculation.

TL;DR:

Using separate profiles is better, particularly when using GFS.

But as someone who doesn't sign into any Google account and just wants a banking app to work, GFS on the main profile is still way better than stock Android.

Whan I installed messenger on my non-work profile, it kept crashing. On the work profile with microG it works. I think it still at least limits the access